Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-4297

upgrade kerberos dependency to use only ansi-regex ^6.0.1 due to Security Vulnerability

XMLWordPrintableJSON

    • Type: Icon: Task Task
    • Resolution: Done
    • Priority: Icon: Unknown Unknown
    • kerberos-2.0.1
    • Affects Version/s: kerberos-1.1.7, kerberos-2.0.0
    • Component/s: None
    • 2
    • None
    • Not Needed
    • None
    • None
    • None
    • None
    • None
    • None

      Summary

      Security Vulnerabilities in kerberos 2.0.0

      This vulnerability comes from ansi-regex@2.1.1, which is a transitive dependency.
      the solution is to upgrade depndency 

      Motivation

      How does this affect the end user?

      Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns{{ [\\]()#;?}} and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_])*.

      Is this issue urgent?

      yes, possible ReDoS

       

       

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807

        1.
        		 Upgrade prebuild-install to 7.1.1 for FLE bindings v2 NODE-4372 Sub-task Closed Neal Beeken  
        2.
        		 Upgrade prebuild-install to 7.1.1 for Keberos v2 NODE-4373 Sub-task Closed Neal Beeken  

            Assignee:
            neal.beeken@mongodb.com Neal Beeken
            Reporter:
            moscovih@post.bgu.ac.il Hadas Moscovici
            Neal Beeken
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: